Terminology Worm –A computer program that duplicates itself over computer networks. Virus –A computer program that inspects its environment and copies.


1 Terminology
Worm
– A computer program that duplicates itself over computer networks.
Virus
– A computer program that inspects its environment and copies itself into other programs.
Trojan Horse
– A useful computer program that has been compromised with extra code to do undesired things.

2 The First Virus
Created in 1983 (5 years before one was released into the internet)
Created by Len Adleman (founder of RSA)
The virus was implanted into the UNIX vd command
– The virus was tested 5 times in a controlled lab
– In each case, all system rights were granted in under an hour.
– Later tested on VMS, VM/370, and Tops-20 with the same results

3 Short Sighted System Administrators
Early designers of viruses were Len Adleman, Fred Cohen, Tom Duff, and Doug McIlroy
– They were called White-Hat scientists
– They encountered resistance to virus research.
– Fred Cohen, 1987: “Once the results of the experiments were announced, administrators decided that no further computer security experiments would be permitted on their system. The ban included the planned addition of traces which would track potential viruses and password augmentation experiments which could potentially have improved security to a great extent. This fear reaction is typical, rather than try to solve technical problems technically, inappropriate and inadequate policy solutions are often chosen”

4 Short Sighted System Administrators
More Fred Cohen: “After several months of negotiation and administrative changes, it was decided that the experiments would not be permitted. The Security officer at the facility was in constant opposition to security experiments, and would not even read any proposals. This was particularly interesting in light of the fact that it was offered to allow system programmers and security officers to observe and oversee all aspects of all experiments. In addition, system administrators were unwilling to allow sanitized versions of log tapes to be used to perform offline analysis of potential threat of viruses, and were unwilling to have additional traces added to their systems by their programmers to help detect viral attacks. Although there is no apparent threat posed by these activities, and they require little time, money, and effort, administrators were unwilling to allow investigations.”

5 As a Result…
Robert Morris launched the first internet worm on November 2nd, 1988
It invaded ~6,000 computers within hours (10% of the internet at the time)
Instructions were posted on how to stop the worm, but the computer the instructions were posted on was disabled by the worm before anyone read the instructions.
Estimated damage ranged from $10,000 to $97 million (shows how hard the damage from cyber crime is to estimate)

6 How it worked
Buggy Code
– Exploited a buffer overflow problem in the finger daemon.
– And a hole in the UNIX sendmail daemon
   – When sendmail was run in debug mode, sendmail would execute commands the worm sent it
   – At that time most programs ran in “debug” mode to generate traces of execution
Clueless Users
– The worm used a dictionary of just 432 words to crack passwords
– And it tested the password file against the dictionary in a random order.

7 Why it worked
Many sites were running old versions of the fingerd daemon
– The buffer overflow was known about and fixed BEFORE the worm attack
– Shows the importance of upgrading software
Sendmail’s vulnerability
– Large, buggy, and networked
Poor passwords
– Users picked guessable passwords.
– Many used their user id as their password
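The poor-password problem on slides 6 and 7 can be closed at the moment a password is set. The following is an added example, not part of the original presentation: a check that rejects passwords equal to the user id, derived from the account name, or found in a small word list. The word list, the accounts and the choice of variants (reversed, doubled, numeric suffix) are constructed for illustration.

```python
# Added example: constructed word list and accounts, not the worm's dictionary.
COMMON_WORDS = {"password", "wizard", "secret", "guest", "summer"}

def candidate_guesses(username, full_name=""):
    """Guesses derived from account data alone (variants are illustrative)."""
    u = username.lower()
    guesses = {u, u[::-1], u + u}
    for part in full_name.lower().split():
        guesses.update({part, part[::-1]})
    return guesses

def rejection_reason(username, password, full_name=""):
    """Return why a proposed password is guessable, or None if no rule fires."""
    p = password.lower()
    if not p:
        return "empty password"
    derived = candidate_guesses(username, full_name)
    if p in derived:
        return "derived from account name"
    if p in COMMON_WORDS:
        return "dictionary word"
    # Strip a trailing run of digits or '!' and test the remaining stem.
    stem = p.rstrip("0123456789!")
    if stem != p and (stem in COMMON_WORDS or stem in derived):
        return "dictionary or account word with a suffix"
    return None

def audit(proposals):
    """Map username -> reason for every proposal that must be rejected."""
    rejected = {}
    for username, full_name, password in proposals:
        reason = rejection_reason(username, password, full_name)
        if reason:
            rejected[username] = reason
    return rejected

PROPOSALS = [  # constructed sample data
    ("jsmith", "John Smith", "jsmith"),
    ("akumar", "Anita Kumar", "ramuka"),
    ("bwong", "Bill Wong", "Wizard"),
    ("clee", "Carol Lee", "summer99"),
    ("dpatel", "Dev Patel", "t7#Qv-mint-Harbor"),
]

if __name__ == "__main__":
    for user, reason in audit(PROPOSALS).items():
        print(f"{user}: rejected ({reason})")
```
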

8 Results of the worm
Formation of CERT
– CERT is the “center of Internet security expertise”
– Run by Carnegie Mellon University
– www.cert.org
Heightened awareness of computer system vulnerabilities

9 Types of Viruses/Worms
Macro Virus
– Usually infects Microsoft Office and Outlook Express
– Cross platform. The Microsoft products give a base platform to run in.
– Usually passed by trading documents
– Viruses email themselves out using the address book in Outlook
– Automatically activated by being named the same as macros Office/Outlook runs automatically when opening or closing a document (AutoOpen, AutoClose).

10 Types of Viruses/Worms
Boot sector
– Affects the boot sector of the hard drive
– Usually spread by trading programs
– Most can’t spread via the net
Polymorphic
– Changes itself every time it is copied to avoid detection.
– Virus signatures don’t work on these viruses because the signature changes each time.
– May even use encryption to hide itself.

11 Types of Viruses/Worms
Multipartite
– Infects both the boot sector and files
– Spreads via the network infecting files which in turn infects the boot sector.
Stealth
– Inserts code between the end application and the kernel.
– Gives results to the application that the application would expect.
– May remove itself from the media while the system is running, to avoid virus detection, then copies itself back to the media when the system is shut down.

12 Types of Viruses/Worms
Retro
– Tries to attack anti virus software directly.
– Usually tries to change the “signature” file to avoid detection
Armored
– They make themselves difficult to get a “signature” from.
– They are tightly wound around an executable so that it is hard to tell the executable from the virus
Companion
– Attaches to an executable and copies the executable to the same name but with a different extension.
Phage
– A virus that modifies another program to “morph” the good program to become a virus.

13 Anti Viral Software
A database of “signatures” is kept on the local machines.
All data coming into or out of the computer is scanned and compared bit by bit to the “signatures”
Problem
– Reactive – only discovers viruses/worms after the fact
– Dumb – any minor change in the virus signature makes the anti-virus program useless
– No substitute for good security practices.
– Active scanning only probes known ports
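The "Dumb" limitation above can be seen in a few lines. This is an added example, not part of the original presentation: a byte-for-byte signature scanner that misses a sample differing in one byte, next to a masked signature (with `??` wildcard positions) that still matches it. The signature syntax, names and byte strings are constructed, harmless placeholders.

```python
# Added example: all byte strings are constructed, harmless placeholders.
WILDCARD = None  # position in a signature that may hold any byte

def parse_signature(text):
    """Parse 'DE AD ?? EF' into [0xDE, 0xAD, None, 0xEF]."""
    return [WILDCARD if tok == "??" else int(tok, 16) for tok in text.split()]

def find_signature(data, sig):
    """Return the first offset where sig matches data, or -1 if absent."""
    n = len(sig)
    if n == 0:
        return -1  # an empty signature would match everything; refuse it
    for off in range(len(data) - n + 1):
        if all(s is WILDCARD or data[off + i] == s for i, s in enumerate(sig)):
            return off
    return -1

def scan(data, database):
    """Return the sorted names of every signature found in data."""
    return sorted(name for name, sig in database.items()
                  if find_signature(data, sig) >= 0)

# Exact signature: the eight bytes of b"MARKER-A".
EXACT = {"Sample.A": parse_signature("4D 41 52 4B 45 52 2D 41")}
# Masked signature: same bytes, but the last position may be anything.
MASKED = {"Sample.A": parse_signature("4D 41 52 4B 45 52 2D ??")}

ORIGINAL = b"\x00\x01header" + b"MARKER-A" + b"payload\xff"
VARIANT = b"\x00\x01header" + b"MARKER-B" + b"payload\xff"  # one byte differs

if __name__ == "__main__":
    print("exact  / original:", scan(ORIGINAL, EXACT))
    print("exact  / variant :", scan(VARIANT, EXACT))
    print("masked / variant :", scan(VARIANT, MASKED))
```

Each wildcard position makes the signature less specific, so masking trades missed variants for a higher chance of flagging unrelated files.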

